Date:      Tue, 30 Nov 2004 12:41:35 -0600
From:      "James R. Van Artsalen" <james@jrv.org>
To:        Achim Patzner <ap@bnc.net>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: FreeBSD 5.3 routing IPFW FWD'd packets?
Message-ID:  <41ACBEDF.3020001@jrv.org>
In-Reply-To: <7261A3E8-42C2-11D9-AC2A-000A95A0BB90@bnc.net>
References:  <41AC571E.2020503@jrv.org> <7261A3E8-42C2-11D9-AC2A-000A95A0BB90@bnc.net>

Achim Patzner wrote:

> Packets sent to the directly reachable net 192.168.254/8 (rule 64000) 
> seem to work.  Is it possible that packets are somehow being routed 
> after being FWD'd by IPFW?
>
> The counters show that the rule is applied, too. Just the "fwd" part 
> is not happening.


I'm suspicious of this code in netinet/ip_output.c:

#ifdef IPFIREWALL_FORWARD
...
        fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL);
        if (fwd_tag) {
                if (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) {
                        dst = (struct sockaddr_in *)&ro->ro_dst;
                        bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in));
                        m->m_flags |= M_SKIP_FIREWALL;
                        m_tag_delete(m, fwd_tag);
                        goto again;
                } else {
                        m_tag_delete(m, fwd_tag);
                        /* Continue. */
                }
        }
#endif

passout:

this seems to be where FWD is handled in this case.  The problem is that 
33 lines above I see this code:

        /* Jump over all PFIL processing if hooks are not active. */
        if (inet_pfil_hook.ph_busy_count == -1)
                goto passout;

It looks to me like IPFW forwarding isn't going to happen here unless 
there is some PFIL around.
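To make the control-flow problem described above concrete, here is a small stand-alone model of the two fragments quoted from ip_output.c. It is added here as an illustration and is not FreeBSD kernel code: `ip_output_fwd_model`, the `pkt`/`host` structures, the `IP4` macro and the scenario helpers are all hypothetical names, and the addresses (a host on 192.168.254.0/24, a transit packet from 10.0.0.5 to 198.51.100.7) are constructed sample values. The model returns the destination that would be handed to the route lookup, so the effect of `ph_busy_count == -1` jumping straight to `passout` (the fwd tag is never consumed and the original destination is routed) can be checked directly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from dotted octets (constructed helper). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Minimal stand-in for the mbuf: the header addresses plus the fwd tag state. */
struct pkt {
    uint32_t ip_src;
    uint32_t ip_dst;
    bool     has_fwd_tag;    /* PACKET_TAG_IPFORWARD present (attached by an ipfw fwd rule) */
    uint32_t fwd_dst;        /* next hop carried in that tag */
    bool     skip_firewall;  /* M_SKIP_FIREWALL, set when the tag is honoured */
};

/* Host state the two address checks and the PFIL shortcut depend on. */
struct host {
    uint32_t local_ip;        /* a configured interface address (in_localip) */
    uint32_t local_net;       /* directly attached network (in_localaddr) */
    uint32_t local_mask;
    int      pfil_busy_count; /* inet_pfil_hook.ph_busy_count; -1 = no hooks registered */
};

static bool in_localip(const struct host *h, uint32_t ip)
{
    return ip == h->local_ip;
}

static bool in_localaddr(const struct host *h, uint32_t ip)
{
    return (ip & h->local_mask) == h->local_net;
}

/*
 * Returns the destination the route lookup would be done for. route_dst is
 * the header destination on entry and is only replaced when the fwd tag is
 * consumed, mirroring the bcopy into ro->ro_dst followed by "goto again".
 */
uint32_t ip_output_fwd_model(const struct host *h, struct pkt *m, uint32_t route_dst)
{
    /* "Jump over all PFIL processing if hooks are not active." */
    if (h->pfil_busy_count == -1)
        goto passout;

    /* The IPFIREWALL_FORWARD block quoted in the message. */
    if (m->has_fwd_tag) {
        if (!in_localip(h, m->ip_src) && !in_localaddr(h, m->ip_dst)) {
            route_dst = m->fwd_dst;    /* tag address becomes the routing destination */
            m->skip_firewall = true;   /* M_SKIP_FIREWALL before re-running the lookup */
        }
        m->has_fwd_tag = false;        /* m_tag_delete happens in both branches */
    }

passout:
    return route_dst;
}

/* Constructed host: 192.168.254.1 on 192.168.254.0/24. */
static struct host make_host(int pfil_busy_count)
{
    struct host h = { IP4(192, 168, 254, 1), IP4(192, 168, 254, 0), 0xFFFFFF00u, pfil_busy_count };
    return h;
}

/* Constructed transit packet carrying a fwd tag toward 192.168.254.2. */
static struct pkt make_transit_pkt(void)
{
    struct pkt m = { IP4(10, 0, 0, 5), IP4(198, 51, 100, 7), true, IP4(192, 168, 254, 2), false };
    return m;
}

/* Scenario 1: a PFIL hook is registered, so the fwd tag is honoured. */
uint32_t fwd_with_hooks_active(void)
{
    struct host h = make_host(0);
    struct pkt m = make_transit_pkt();
    return ip_output_fwd_model(&h, &m, m.ip_dst);
}

/* Scenario 2: no PFIL hooks, so the fwd block is skipped and the header dst is routed. */
uint32_t fwd_with_no_hooks(void)
{
    struct host h = make_host(-1);
    struct pkt m = make_transit_pkt();
    return ip_output_fwd_model(&h, &m, m.ip_dst);
}

/* Scenario 3: hooks active but the packet is locally sourced, so the tag is dropped. */
uint32_t fwd_with_local_source(void)
{
    struct host h = make_host(0);
    struct pkt m = make_transit_pkt();
    m.ip_src = h.local_ip;
    return ip_output_fwd_model(&h, &m, m.ip_dst);
}

static void show(const char *label, uint32_t ip)
{
    printf("%-24s -> %u.%u.%u.%u\n", label, ip >> 24, (ip >> 16) & 0xFF, (ip >> 8) & 0xFF, ip & 0xFF);
}

int main(void)
{
    show("hooks active", fwd_with_hooks_active());
    show("no hooks (busy == -1)", fwd_with_no_hooks());
    show("local source", fwd_with_local_source());
    return 0;
}
```

Running it shows the first scenario routing to the fwd address and the second still routing to the original header destination, which is the symptom reported in the thread (rule counters increment, but the packet is not forwarded). The third scenario is the separate `in_localip`/`in_localaddr` guard: even with hooks active, locally sourced packets keep their original destination.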



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41ACBEDF.3020001>